LDAP Create two users with same username in different OUs

0

In my AD, I can't log in after I have created two users with the same user name - Alex - in different OUs. They have different sAMAccountNames.

Error:

Call method - auehtnticateUser. System.DirectoryServices.DirectoryServicesCOMException (0x8007052E): The user name or password is incorrect.

at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject() at System.DirectoryServices.DirectorySearcher.FindOne() at LDAP_TestApp.LDAPConnection.AuthenticateUser(String ldapPath, String dn, String userName, String pwd, Boolean isAuthenticated)

However, it seems it is possible to have the same username in different OUs based on this link: Unique name requirement in AD. And my users have unique DNs.

The problem is gone once I have removed one of the users in either OU.

My code is as follows:

using System;
using System.DirectoryServices;
using System.Text;

public string AuthenticateUser(string ldapPath, string dn, string userName, string pwd, bool isAuthenticated)
{
    // Bind either to the naming context itself or to the given DN beneath it.
    string entryPath = (dn.Trim() == string.Empty) ? ldapPath : ldapPath + "/" + dn;

    StringBuilder sb = new StringBuilder();
    AuthenticationTypes checkState;
    DirectoryEntry searchRoot;
    if (isAuthenticated)
    {
        // The supplied user name and password are used for the bind itself.
        checkState = AuthenticationTypes.Secure;
        searchRoot = new DirectoryEntry(entryPath, userName, pwd, checkState);
    }
    else
    {
        checkState = AuthenticationTypes.None;
        searchRoot = new DirectoryEntry(entryPath, "", "", checkState);
    }

    // Here starts the query.
    // Note: userName is inserted into the filter without RFC 4515 escaping, so a
    // name containing '(' ')' '*' or '\' changes the filter's meaning.
    DirectorySearcher search = new DirectorySearcher(searchRoot)
    {
        SearchScope = System.DirectoryServices.SearchScope.Subtree,
        Filter = "(&" +
            "(objectClass=person)" +
            "(cn=" + userName + ")" +
        ")"
    };
    // "dn" is not an AD attribute; distinguishedName is the one that exists.
    search.PropertiesToLoad.Add("cn");
    search.PropertiesToLoad.Add("distinguishedName");
    SearchResult result = search.FindOne();
    // The rest is how the result is handled; a stand-in return so the method compiles.
    return result == null ? null : result.Path;
}

The line search.FindOne() is where the error is thrown. I have tried:

  1. Using the exact DN to authenticate, e.g. OU=Team1,OU=DepartmentA,DC=RMS,DC=com (only one Alex).

  2. Removing the filter for the search scope.

Can anyone shed some light on this if you have come across it before? Thanks

c#
ldap
asked on Stack Overflow May 22, 2018 by csamleong • edited May 22, 2018 by csamleong

1 Answer

0

The actions appear to be consistent, as the FindOne() documentation says:

If more than one entry is found during the search, only the first entry is returned. If no entries are found to match the search criteria, a null reference (Nothing in Visual Basic) is returned.

So how do you know which entry is being found? (i.e. do both your "Alex"es' passwords match?)

You need to define a strategy to handle two user IDs with the same cn (RDN) values.

Generally this is not a good idea. When Alex(1) fails to log in he may request a password reset, even though he knows his password, because his login is going against Alex(2).

answered on Stack Overflow May 22, 2018 by jwilleke
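One way to implement the strategy the answer asks for, as an added example that is neither the asker's nor the answerer's code: look the login name up with FindAll() instead of FindOne(), escape the name before putting it in the filter, refuse to authenticate when the name is ambiguous, and only then bind as the one resolved account. The LDAP path, service-account credentials and user names below are placeholders; the example assumes an AD-joined machine and that accounts carry a userPrincipalName.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

public enum LookupOutcome { NotFound, Ambiguous, Unique }

public sealed class UserLookup
{
    public LookupOutcome Outcome;
    public int MatchCount;
    public string DistinguishedName;   // set only when Outcome == Unique
    public string UserPrincipalName;   // set only when Outcome == Unique
}

public static class AdAuth
{
    // Escape a value for use inside an LDAP search filter (RFC 4515, section 3),
    // so a login name like "Alex)(objectClass=*" cannot change the filter's meaning.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Run one filter and record how many accounts matched. Two hits are enough to
    // prove ambiguity, so SizeLimit keeps the query cheap.
    private static bool TryMatch(DirectorySearcher searcher, string filter, UserLookup lookup)
    {
        searcher.Filter = filter;
        using (SearchResultCollection hits = searcher.FindAll())
        {
            lookup.MatchCount = hits.Count;
            if (hits.Count == 0) return false;
            if (hits.Count > 1) { lookup.Outcome = LookupOutcome.Ambiguous; return true; }

            ResultPropertyCollection p = hits[0].Properties;
            lookup.Outcome = LookupOutcome.Unique;
            lookup.DistinguishedName = (string)p["distinguishedName"][0];
            lookup.UserPrincipalName = p["userPrincipalName"].Count > 0
                ? (string)p["userPrincipalName"][0] : null;
            return true;
        }
    }

    // Resolve a login name to exactly one account. sAMAccountName is unique per
    // domain, so it is tried first; cn (where the asker's duplicates live) is only
    // a fallback, and duplicate cn values are reported as Ambiguous rather than
    // silently resolving to whichever entry FindOne() would have returned first.
    public static UserLookup FindUser(DirectoryEntry searchRoot, string loginName)
    {
        string safe = EscapeFilterValue(loginName);
        var lookup = new UserLookup { Outcome = LookupOutcome.NotFound };
        using (var searcher = new DirectorySearcher(searchRoot))
        {
            searcher.SearchScope = SearchScope.Subtree;
            searcher.SizeLimit = 2;
            searcher.PropertiesToLoad.Add("distinguishedName");
            searcher.PropertiesToLoad.Add("userPrincipalName");
            const string user = "(objectCategory=person)(objectClass=user)";
            if (!TryMatch(searcher, "(&" + user + "(sAMAccountName=" + safe + "))", lookup))
                TryMatch(searcher, "(&" + user + "(cn=" + safe + "))", lookup);
        }
        return lookup;
    }

    // Verify the password by binding as the resolved account (the search above runs
    // under a service account; the user's own credentials are used only here).
    // Assumption: userPrincipalName is populated; a DN would need a simple bind over
    // LDAPS instead, which this example does not attempt.
    public static bool VerifyPassword(string ldapPath, UserLookup user, string password)
    {
        if (user.Outcome != LookupOutcome.Unique || user.UserPrincipalName == null)
            return false;
        var authType = AuthenticationTypes.Secure | AuthenticationTypes.Sealing;
        using (var entry = new DirectoryEntry(ldapPath, user.UserPrincipalName, password, authType))
        {
            try { object bound = entry.NativeObject; return bound != null; }   // forces the bind
            catch (DirectoryServicesCOMException) { return false; }
        }
    }

    public static void Main()
    {
        // Placeholder values; replace with your own naming context and service account.
        const string ldapPath = "LDAP://RMS.com/DC=RMS,DC=com";
        using (var root = new DirectoryEntry(ldapPath, "svc-ldap@RMS.com", "service-password",
                                             AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
        {
            UserLookup alex = FindUser(root, "Alex");
            Console.WriteLine("Alex: " + alex.Outcome + " (" + alex.MatchCount + " match(es))");
            if (alex.Outcome == LookupOutcome.Ambiguous)
                Console.WriteLine("Refusing to authenticate: ask the user for their sAMAccountName or UPN.");
            else if (alex.Outcome == LookupOutcome.Unique)
                Console.WriteLine("Password valid: " + VerifyPassword(ldapPath, alex, "user-password"));
        }
    }
}
```

Two design choices worth noting. The lookup runs under a fixed service account and the user's password is only ever presented to the directory in the final bind, so a failed password never leaks which of the duplicate entries it was tested against. And an Ambiguous result is treated as a hard failure rather than a retry, which is the case the answer warns about: an application that quietly picks the first hit sends Alex(1) off to reset a password that was never wrong.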

User contributions licensed under CC BY-SA 3.0